CN118337514A - Method and device for detecting intrusion of automobile CAN (controller area network) network, electronic equipment and storage medium - Google Patents

Abstract

The embodiment of the disclosure provides an automobile CAN network intrusion detection method and device, electronic equipment and storage media, and relates to the technical field of automobile information security. The method comprises the following steps: acquiring a flow data packet on a CAN bus of a target vehicle in a normal running process, and establishing a normal flow data set according to the flow data packet; counting the ID of each flow data packet in the normal flow data set, and creating an original data set according to the ID of each flow data packet, the attack type and the normal flow data set; extracting ID and data domain information in an original data set as classification features, and establishing a feature data set according to the classification features; constructing a CAN network Stacking intrusion detection model of the target vehicle according to the characteristic data set; and inputting the ID and the data field information in the attack data set into a Stacking intrusion detection model, and predicting whether the CAN of the target vehicle has network intrusion according to the output result. The method provided by the disclosure CAN effectively improve the accuracy and stability of the intrusion detection of the automobile CAN network.

Description

Automobile CAN network intrusion detection method and device, electronic device and storage medium

Technical Field

The present disclosure relates to the field of information security technology for intelligent networked vehicles, and in particular to a method and device for detecting intrusion into a vehicle CAN network, and electronic equipment and a storage medium.

Background technique

With the vigorous development of network technology and automobile technology, modern automobiles have more and more intelligent functions, and the interaction between automobiles and external information is becoming more and more frequent, and the risk of intrusion of vehicle networks is getting higher and higher. In vehicle networks, CAN bus is widely used for its advantages of multiple master controls, high reliability and low cost, but the network security protection mechanism was not considered at the beginning of the design of CAN bus, resulting in great challenges to vehicle network security.

At present, there are mainly the following CAN bus information security detection technologies: data encryption, identity authentication and intrusion detection. The first two mainly use encryption technology and authentication methods to protect the CAN network data, isolate it from the external system, and prevent messages that do not comply with the communication protocol from entering. Intrusion detection designs corresponding algorithms and performs security detection based on data features. The relevant technologies are as follows:

Application publication number CN115314311A discloses a vehicle-mounted intrusion detection method and system based on CAN bus data frames. He uses one-hot encoding to preprocess messages, builds an intrusion detection model based on the GAN algorithm that includes a generator network and a discriminator network, and uses the trained discriminator to monitor CAN network data transmission in real time to protect vehicle safety.

Application publication number CN113612786B discloses an intrusion detection system and method for a vehicle bus. The method includes the following steps: obtaining a CAN message and classifying the CAN frames in the CAN message, verifying the frame format of the CAN frame, verifying the CRC code of the CAN frame, inputting the CAN frame into the constructed adversarial generation network model for abnormality detection, determining whether the CAN message has been subjected to known attacks or unknown attacks, and alarming if it has been subjected to known attacks or unknown attacks. The system described in the invention includes a CAN frame recognition module, a frame format verification module, a CRC verification module, and an adversarial generation neural network detection module.

Application publication number CN109067773A discloses a vehicle-mounted CAN network intrusion detection method and system based on neural network. The invention uses the transmission frequency of CAN network data packets as the input of BP neural network, uses principal component analysis PCA to reduce the dimension of data, detects the transmission frequency of various CAN data packets, uses genetic algorithm to optimize BP neural network, uses engine speed, intake volume, vehicle speed, throttle valve related data as the input of BP neural network, determines whether there is an abnormality in the current network and gives an alarm.

Application publication number CN115051852A discloses a vehicle-mounted CAN bus intrusion detection algorithm based on deep learning. The method includes the following steps: separating the CAN ID and its corresponding flag tag in the data set, converting the separated CAN ID into a decimal floating point number, then segmenting the data set with a step size of 64, using GAF coding to convert the segmented CAN ID sequence into a two-dimensional image, and dividing the training set and the test set to train the model.

Application publication number CN113162902B discloses a low-latency, secure vehicle-mounted intrusion detection method based on deep learning. The method includes the following steps: using one-hot vector encoding to encode the arbitration bit of CAN traffic into a 2-D image, the encoder extracts CAN image features through a generative adversarial network, and introduces random phase θ and imaginary number b to hide and confuse real features, the processor uses a convolutional neural network and attention mechanism in the cloud to extract deep features, and the decoder decodes the deep features and uses a shallow network to identify abnormal traffic.

Application publication number CN113824684A discloses a vehicle network intrusion detection method and system based on transfer learning. The invention extracts 29 consecutive CAN IDs, converts the ID sequence into a feature matrix as input, extracts the time series features of the feature matrix by a detection model based on DenseNet, and extracts the time series features of the feature matrix by a detection model based on GAN, determines whether it meets the unknown attack characteristics, and if so, alarms and stores it as an unknown attack sample. When the number of stored samples reaches a certain number, PCA method is used for dimensionality reduction, and Meanshift method is used to classify the samples after dimensionality reduction, to obtain a pre-classified unknown attack data set, and complete the update of the intrusion detection system.

Application publication number CN114157469A discloses a method and system for detecting variant attacks on vehicle networks based on domain adversarial neural networks. The invention uses USB-CANTOOL software to obtain normal data on real vehicles, selects the ID and data segment of the injected attack, divides the collected data set into source domain data set, target domain data and test data set, extracts data segments of 25 consecutive CAN messages, and outputs the final features after splicing the features obtained by modules with three different convolution kernel sizes, takes the features of known attacks as input, and determines the attack type for output.

"Research on Intrusion Detection System of Vehicle CAN Network Based on Neural Network" proposes a neural network-based intrusion detection method. By analyzing the bus characteristics of the CAN network and the characteristics of each ECU, the neural network model is used to deal with tampering, replay and injection attacks.

"Research and Implementation of Security Gateway Technology for Intelligent Connected Vehicles" proposes a security gateway bus defense mechanism, which uses a hybrid message authentication code and a two-way challenge authentication strategy to determine whether there is an abnormality.

"Research and Implementation of Defense Technology for In-Vehicle Networks of Connected Cars" proposes a dynamic data encryption method for in-vehicle Ethernet based on the idea of mobile target defense, an intrusion detection scheme based on the theoretical knowledge of in-vehicle CAN network communication matrix, and combines the characteristics of in-vehicle communication data to protect the vehicle-connected network.

"Research on Security Mechanisms for Information Security Issues in Internet of Vehicles" proposes a lightweight identity-based certificateless public key authentication system and vehicle group key management mechanism to effectively detect and defend against attack messages.

"Research and Implementation of Intrusion Detection System for Connected Vehicles" proposes an intrusion detection system based on CAN network based on byte-level and bit-level intrusion detection rules, including modules such as data acquisition, data preprocessing, intrusion detection engine, recording and alarm, and rule update.

"Research on Intrusion Detection of In-vehicle Networks Based on Association Rules" proposes an intrusion detection scheme based on periodic CAN networks. It analyzes the correlation and characteristics of message data in the automotive network from the perspective of data mining, thereby discovering the correlation and characteristics between ECUs in the data, and then determining whether there is an attack.

"CAN Network Anomaly Detection Method Based on Renyi Information Entropy" proposes an anomaly detection model based on Renyi information entropy and Renyi divergence. It monitors the anomalies of data domain information from the perspective of ID characteristics, entropy value or message periodicity to ensure the security of the automotive CAN network.

"Research on Vehicle CAN Network Anomaly Detection Based on LSTM Network" proposes a vehicle CAN network anomaly detection model based on LSTM network. This method can effectively detect replay attacks and frame forgery.

"Anomaly Detection of In-Vehicle CAN Network Messages Based on AdaBoost Algorithm" proposes an anomaly detection model for in-vehicle CAN network messages based on the AdaBoost algorithm. It uses the CART decision tree as the basic weak classifier, divides the 64 bits of the message data field into 8 bytes and inputs them into the model to determine whether the message is abnormal.

"A vehicle network anomaly detection method based on support vector machine" proposes an automotive CAN network intrusion detection algorithm based on support vector machine. The information entropy of each byte in the data domain is used as the input of the support vector machine to determine whether it is abnormal.

"CAN-FD Network Anomaly Intrusion Detection Based on Support Vector Machine" proposes a solution based on support vector machine to detect CAN-FD messages. Time information, message identifier ID information and 48 data field information are used as model input to train the model to obtain a classification model to detect anomalies on the CAN bus.

Combined with the specific conditions of intelligent connected vehicles and vehicle networks, the above technologies have several shortcomings: encryption technology involves adjusting the CAN communication protocol and changing the information format of the CAN frame, which is not conducive to actual implementation; the data encryption and decryption process and the identity authentication process will increase the ECU computing burden, affect the real-time communication of the vehicle network, and also cause a certain message to occupy the CAN network for too long; intrusion detection systems, facing complex and diverse algorithms, how to choose the right machine algorithm and how to improve the accuracy are still difficult problems. The principles and sensitivity to data of each algorithm are different. For the same classification problem, the training error and generalization error of the model may be different, causing difficulties in prediction and decision-making. Stacking ensemble learning can integrate multiple sub-learners and use the output of the group learner to compensate for the error. Compared with a single model, it has higher decision-making performance and generalization ability. At present, there is no report on the application of Stacking ensemble learning in automotive CAN network intrusion detection.

Summary of the invention

The automobile CAN network intrusion detection method provided by the present disclosure can effectively improve the accuracy and stability of automobile CAN network intrusion detection.

According to a first aspect of an embodiment of the present disclosure, a method for detecting intrusion in a CAN network of an automobile is provided, the method comprising:

Acquire traffic data packets on the CAN bus of the target vehicle during normal driving, and establish a normal traffic data set based on the traffic data packets;

Counting the ID of each of the traffic data packets in the normal traffic data set, and creating an original data set according to the ID of each of the traffic data packets, the attack type and the normal traffic data set;

Extracting ID and data domain information from the original data set as classification features, and establishing a feature data set based on the classification features;

Constructing a CAN network Stacking intrusion detection model of the target vehicle according to the feature data set;

The ID and data domain information in the attack data set are input into the Stacking intrusion detection model, and the output result is used to predict whether the CAN of the target vehicle has been network intruded.

In one embodiment, constructing the CAN network Stacking intrusion detection model of the target vehicle according to the feature data set includes:

Randomly extract part of the feature data in the feature data set according to a preset ratio as a training set S, and the rest of the feature data as a test set P;

The training set is divided into n+1 subsets S1, S2, ..., Sn+1, and the first i subsets are selected in turn to train base classifiers; wherein the base classifiers include support vector machine base classifiers, random forest base classifiers, k-nearest neighbor algorithm base classifiers and multi-layer perception base classifiers;

Use the trained base classifier to predict the i+1th subset and output the prediction result, and repeat this process n times to obtain all the prediction results of the base classifier;

Combining all the prediction results to obtain a target training set N;

The target training set N is used to train a gradient decision tree classifier to obtain a CAN network Stacking intrusion detection model of the target vehicle.

In one embodiment, inputting the ID and data domain information in the feature data set into the Stacking intrusion detection model, and predicting whether the CAN of the target vehicle has network intrusion according to the output result includes:

The test set P is estimated using the CAN network Stacking intrusion detection model of the target vehicle to obtain an intrusion detection result;

Input the ID and data domain information in the feature data set into the support vector machine base classifier, the random forest base classifier, the k-nearest neighbor algorithm base classifier and the multi-layer perception base classifier respectively to obtain test values P1, P2, P3 and P4;

Input the test value P1, the test value P2, the test value P3 and the test value P4 as CAN message features into the CAN network Stacking intrusion detection model of the target vehicle, and estimate the abnormal state of the corresponding CAN message according to the output result;

Predict whether there is network intrusion in the CAN of the target vehicle based on the abnormal state of the corresponding CAN message.

In one embodiment, the method further comprises: using the trained base classifier to predict the i+1th subset and outputting the prediction result, and repeating this process n times to obtain all the prediction results of the base classifier.

Input the data in the test set P into the support vector machine base classifier, the random forest base classifier, the k-nearest neighbor algorithm base classifier and the multi-layer perceptron base classifier respectively;

According to the output results and the evaluation indexes, the support vector machine base classifier, the random forest base classifier, the k-nearest neighbor algorithm base classifier and the multi-layer perception base classifier are evaluated respectively.

In one embodiment, before inputting the test values P1, P2, P3 and P4 as CAN message features into the CAN network Stacking intrusion detection model of the target vehicle and estimating the abnormal state of the corresponding CAN message according to the output result, the method further includes:

Input the data in the test set P into the CAN network Stacking intrusion detection model of the target vehicle;

According to the output results and evaluation indicators, the CAN network Stacking intrusion detection model of the target vehicle is evaluated.

In one embodiment, the evaluation index includes at least one of ROC curve, AUC area and accuracy.

According to a second aspect of an embodiment of the present disclosure, a vehicle CAN network intrusion detection device is provided, the device comprising:

An acquisition module is used to acquire traffic data packets on the CAN bus of the target vehicle during normal driving, and to establish a normal traffic data set based on the traffic data packets;

A statistics module, which counts the ID of each of the traffic data packets in the normal traffic data set, and creates an original data set according to the ID of each of the traffic data packets, the attack type and the normal traffic data set;

An extraction module extracts the ID and data domain information in the original data set as classification features, and establishes a feature data set based on the classification features;

A construction module is used to construct a CAN network Stacking intrusion detection model of the target vehicle according to the attack data set and the feature data set;

The prediction module inputs the ID and data domain information in the feature data set into the Stacking intrusion detection model, and predicts whether the CAN of the target vehicle has network intrusion based on the output result.

In one embodiment, the building blocks include:

The extraction submodule randomly extracts part of the feature data in the feature data set as a training set S according to a preset ratio, and the remaining feature data as a test set P;

A sub-module is used to divide the training set into n+1 subsets S1, S2, ..., Sn+1, and the first i subsets are selected in turn to train base classifiers; wherein the base classifiers include a support vector machine base classifier, a random forest base classifier, a k-nearest neighbor algorithm base classifier, and a multi-layer perception base classifier;

The prediction submodule uses the trained base classifier to predict the i+1th subset and outputs the prediction result, and repeats this process n times to obtain all the prediction results of the base classifier;

A combination submodule combines all the prediction results to obtain a target training set N;

The training submodule uses the target training set N to train a gradient decision tree classifier to obtain a CAN network Stacking intrusion detection model of the target vehicle.

According to a third aspect of an embodiment of the present application, a computer device is provided, comprising: a memory and a processor, wherein the memory stores a computer program, and the processor implements the steps of any of the above methods when executing the computer program.

According to a fourth aspect of the embodiments of the present application, a computer-readable storage medium is provided, on which a computer program is stored. When the computer program is executed by a processor, the steps of any of the above methods are implemented.

The automobile CAN network intrusion detection method provided by the present invention establishes a Stacking intrusion detection model based on the ID and data domain characteristics of real vehicle CAN messages. The Stacking intrusion detection model integrates the prediction results of four base classifiers, and the parameters of the four base classifiers are optimized through a tree structured Parzen estimator and cross-validation, thereby effectively improving the accuracy and stability of automobile CAN network intrusion detection.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG1 is a flow chart of a method for detecting intrusion into a vehicle CAN network provided by an embodiment of the present disclosure.

FIG2 is a flow chart of the automobile CAN network intrusion detection method provided by the present disclosure.

FIG3 is a logic diagram of the automobile CAN network intrusion detection method provided by the present disclosure.

FIG4 is an architecture diagram of an automobile CAN network intrusion detection device provided by an embodiment of the present disclosure.

FIG5 is an architecture diagram of an automobile CAN network intrusion detection device provided by an embodiment of the present disclosure.

FIG. 6 is a schematic diagram of the computer device structure provided by an embodiment of the present disclosure.

Detailed ways

Exemplary embodiments will be described in detail herein, examples of which are shown in the accompanying drawings. When the following description refers to the drawings, the same numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present disclosure. Instead, they are merely examples of devices consistent with some aspects of the present disclosure as detailed in the appended claims.

FIG1 is a flow chart of a method for detecting intrusion into an automobile CAN network provided in an embodiment of the present disclosure.

As shown in FIG1 , the method includes:

Step 101, obtaining a flow data packet on the CAN bus during normal driving of the target vehicle, and establishing a normal flow data set according to the flow data packet;

In this step, the real-time communication traffic data packets on the CAN bus of the target vehicle during normal driving are collected through the vehicle-mounted OBD-II port. The collection time is 10 minutes, and the data packets are saved in the normal data traffic data set.

Step 102: Count the ID of each traffic data packet in the normal traffic data set, and create an original data set according to the ID of each traffic data packet, the attack type and the normal traffic data set;

In this step, a rejection attack dataset is constructed by injecting high-priority data frames into the normal traffic dataset; a replay attack dataset is constructed by injecting duplicate messages into the normal traffic dataset; an injection attack dataset is constructed by injecting illegal messages into the normal traffic dataset; a discard attack dataset is constructed by randomly discarding normal messages in the normal traffic dataset. Finally, the original dataset containing the normal traffic dataset, the rejection attack dataset, the duplicate attack dataset, the injection attack dataset and the discard attack dataset is obtained.

Exemplarily, by counting the ID data packets of the normal data traffic data set, it is obtained that the number of IDs of the electronic control unit in the vehicle is 55. By injecting a high-priority data frame ID=0x000 into the normal traffic data set, a rejection attack data set is constructed; by injecting repeated messages of ID=0x0BA, ID=0x2C1, and ID=0x2C4 into the normal traffic data set, a replay attack data set is constructed; by injecting illegal messages of ID=0x001, ID=0x010, and ID=0x100 into the normal traffic data set, an injection attack data set is constructed; by randomly discarding normal messages of ID=0x2D0, ID=0X2D5, and ID=0x3B3 in the normal traffic data set, a discard attack data set is constructed; finally, an original data set including a normal category data set, a rejection attack data set, a repeated attack data set, an injection attack data set, and a discard attack data set is obtained.

Step 103: extracting the ID and data domain information in the original data set as classification features, and establishing a feature data set according to the classification features;

In this step, the ID and data domain information in the original data set are extracted as classification features to obtain a feature data set.

Step 104: construct a CAN network Stacking intrusion detection model of the target vehicle according to the feature data set;

In this step, the Stacking intrusion detection model is composed of two layers of models. In the first layer, the base classifier in this example uses "support vector machine base classifier", "random forest base classifier", "k nearest neighbor algorithm base classifier" and "multilayer perceptron base classifier". In this example, the second layer meta classifier uses "gradient boosting decision tree" to stack the prediction probabilities of the four base classifiers to form a new feature set for training to obtain the final integrated model.

As shown in FIG2 , constructing the CAN network Stacking intrusion detection model of the target vehicle according to the feature data set includes:

Step 201: randomly extract part of the feature data in the feature data set according to a preset ratio as a training set S, and the rest of the feature data as a test set P;

Exemplarily, in this embodiment, 60% of the feature data in the feature data set can be randomly extracted as a training set S, and 40% of the feature data can be used as a test set P.

Step 202: Divide the training set into n+1 subsets S1, S2, ..., Sn+1, and select the first i subsets in turn to train base classifiers; wherein the base classifiers include support vector machine base classifiers, random forest base classifiers, k-nearest neighbor algorithm base classifiers and multilayer perceptron base classifiers; wherein n and i are both natural numbers, and N≥1, i≥1.

In the steps, it is necessary to establish a support vector machine based classifier prediction model, a random forest based classifier prediction model, a k-nearest neighbor algorithm based classifier prediction model, and a multi-layer perceptron based classifier prediction model respectively. The specific establishment method is as follows:

A support vector machine (SVM) prediction model was established. The specific method was as follows: the data in the training set S was brought into the support vector machine model for training, and the optimal hyperparameters of the SVM model were searched using the tree structured Parzen estimator and cross-validation, where the important parameter penalty parameter c was 0.1, the kernel function (kernel) was "precomputed", and the kernel function parameter (gamma) was "auto". The support vector machine model was established based on the training set data using the optimal parameter combination obtained by the search.

A random forest (RF) prediction model was established. The specific method was as follows: the data in the training set S was brought into the supporting random forest model for training, and the optimal hyperparameters of the random forest model were screened using the tree structure Parzen estimator and cross-validation. The number of basic decision trees (n_estimators) was 100, the maximum depth (max_depth) of each basic decision tree model was 100, and the Boolean value (bootstrap) was True, that is, the sampling method bootstrapsampling was used to generate training data for the decision tree, and the random forest model was established based on the training set data using the optimal parameter combination obtained by search.

A k-nearest neighbor (KNN) prediction model was established. The specific method was as follows: the data in the training set S was brought into the k-nearest neighbor algorithm for training, and the optimal hyperparameters of the k-nearest neighbor algorithm were screened using the tree structure Parzen estimator and cross-validation. The number of neighbor samples (n_neighbors) was 10, the voting weights of the neighbor samples were specified as "uniform", that is, the voting weights of all neighbor samples were consistent, the search algorithm for neighbor samples was "kd_tree", and the minimum number of samples contained in the tree leaf nodes (leaf_size) was specified as 30. Based on the training set data, the k-nearest neighbor algorithm model was established using the optimal parameter combination obtained by the search.

A multi-layer perceptron (MLP) prediction model is established. The specific method is as follows: the data in the training set S is brought into the multi-layer perceptron for training. The optimal hyperparameters of the multi-layer perceptron are screened by using the tree structure Parzen estimator and cross-validation. The number of hidden layers (hidden_layer_sizes) is 5, and the number of nodes in each hidden layer is 32, 64, and 128 respectively. The optimization method (solver) is "adam". Based on the training set data, the multi-layer perceptron model is established using the optimal parameter combination obtained by search.

Step 203: Use the trained base classifier to predict the i+1th subset and output the prediction result, and repeat this process n times to obtain all the prediction results of the base classifier;

In this step, the trained support vector machine base classifier prediction model, random forest base classifier prediction model, k nearest neighbor algorithm base classifier prediction model and multi-layer perceptron base classifier are used to predict the i+1th data subset respectively, and the prediction results are output. This is repeated n times to obtain all the prediction results of the support vector machine base classifier prediction model, random forest base classifier prediction model, k nearest neighbor algorithm base classifier prediction model and multi-layer perceptron base classifier.

Step 204: combine all the prediction results to obtain a target training set N;

In this step, all prediction results are output as new feature sets. m base classifiers are verified m times to obtain m new features, that is, m new feature sets. The new feature sets are then combined to obtain a training set N.

Step 205: Use the target training set N to train a gradient decision tree classifier to obtain a CAN network Stacking intrusion detection model of the target vehicle.

It can be understood that, in this step, before using the target training set N to train the gradient decision tree classifier to obtain the CAN network Stacking intrusion detection model of the target vehicle, it is necessary to first establish a gradient decision tree classifier model.

A gradient decision tree classifier model is established. The specific method is as follows: the training set data is brought into the gradient boosting decision tree for training. The optimal hyperparameters of the gradient boosting decision tree are screened by using the tree structure Parzen estimator and cross-validation. The maximum number of iterations (n_estimators) is 100, the learning rate (learning_rate) is 1, the subsampling (subsample) is 0.5, and the loss function (loss) is "deviance". Based on the training set data, the gradient decision tree classifier model is established using the optimal parameter combination obtained by search.

Step 105: Input the ID and data domain information in the attack data set into the Stacking intrusion detection model, and predict whether there is network intrusion on the CAN of the target vehicle based on the output result.

In one embodiment, inputting the ID and data domain information in the feature data set into the Stacking intrusion detection model, and predicting whether the CAN of the target vehicle has network intrusion according to the output result includes:

The test set P is estimated using the CAN network Stacking intrusion detection model of the target vehicle to obtain an intrusion detection result;

Input the ID and data domain information in the feature data set into the support vector machine base classifier, the random forest base classifier, the k-nearest neighbor algorithm base classifier and the multi-layer perception base classifier respectively to obtain test values P1, P2, P3 and P4;

Input the test value P1, the test value P2, the test value P3 and the test value P4 as CAN message features into the CAN network Stacking intrusion detection model of the target vehicle, and estimate the abnormal state of the corresponding CAN message according to the output result;

Predict whether there is network intrusion on the CAN of the target vehicle based on the abnormal status of the corresponding CAN message.

Optionally, the method further comprises: using the trained base classifier to predict the i+1th subset and outputting the prediction result, and repeating this process n times to obtain all the prediction results of the base classifier.

Input the data in the test set P into the support vector machine base classifier, the random forest base classifier, the k-nearest neighbor algorithm base classifier and the multi-layer perceptron base classifier respectively;

According to the output results and the evaluation indexes, the support vector machine base classifier, the random forest base classifier, the k-nearest neighbor algorithm base classifier and the multi-layer perception base classifier are evaluated respectively.

Optionally, before inputting the test value P1, the test value P2, the test value P3 and the test value P4 as CAN message features into the CAN network Stacking intrusion detection model of the target vehicle and estimating the abnormal state of the corresponding CAN message according to the output result, the method further includes:

Input the data in the test set P into the CAN network Stacking intrusion detection model of the target vehicle;

According to the output results and evaluation indicators, the CAN network Stacking intrusion detection model of the target vehicle is evaluated.

The evaluation index includes at least one of ROC curve, AUC area and accuracy.

In this embodiment, according to the output results and evaluation indicators, the support vector machine base classifier, random forest base classifier, k-nearest neighbor algorithm base classifier, multi-layer perception base classifier and Stacking intrusion detection model are evaluated respectively, and the results obtained are shown in Table 1 below.

Table 1

According to the data in Table 1, the random forest base classifier RF has the highest accuracy, with a test accuracy of 88.51% and an area under the curve AUC value of 0.98. The prediction accuracy of the integrated Stacking intrusion detection model can reach 92.18%, which is better than the prediction effect of a single model. It also shows that the Stacking intrusion detection model in this embodiment combines the advantages of four classification models, is more stable and reliable, and is more comprehensive and balanced in terms of accuracy and coverage of automotive CAN network intrusion detection, and has higher credibility and predictive power.

The automobile CAN network intrusion detection method provided by the present invention establishes a Stacking intrusion detection model based on the ID and data domain characteristics of real vehicle CAN messages. The Stacking intrusion detection model integrates the prediction results of four base classifiers, and the parameters of the four base classifiers are optimized through a tree structured Parzen estimator and cross-validation, thereby effectively improving the accuracy and stability of automobile CAN network intrusion detection.

FIG3 is a logic diagram of an automobile CAN network intrusion detection method provided by an embodiment of the present disclosure.

FIG4 is an architecture diagram of an automobile CAN network intrusion detection device provided by an embodiment of the present disclosure. As shown in FIG4, the device includes: an acquisition module 401, a statistics module 402, an extraction module 403, a construction module 404 and a prediction module 405; wherein the acquisition module 401 is used to acquire the traffic data packets on the CAN bus of the target vehicle during normal driving, and establish a normal traffic data set according to the traffic data packets; the statistics module 402 is used to count the ID of each traffic data packet in the normal traffic data set, and create an original data set according to the ID, attack type and normal traffic data set of each traffic data packet; the extraction module 403 is used to extract the ID and data domain information in the original data set as classification features, and establish a feature data set according to the classification features; the construction module 404 is used to construct the CAN network Stacking intrusion detection model of the target vehicle according to the attack data set and the feature data set; the prediction module 405 is used to input the ID and data domain information in the feature data set into the Stacking intrusion detection model, and predict whether the CAN of the target vehicle has network intrusion according to the output result.

FIG5 is an architecture diagram of an automobile CAN network intrusion detection device provided by an embodiment of the present disclosure. As shown in FIG5 , the device includes: an acquisition module 501, a statistics module 502, an extraction module 503, a construction module 504, and a prediction module 505; wherein the construction module 504 includes an extraction submodule 5041, a division submodule 5042, a prediction submodule 5043, a combination submodule 5044, and a training submodule 5045; wherein the extraction submodule 5041 is used to randomly extract part of the feature data in the feature data set as a training set S according to a preset ratio, and the remaining feature data as a test set P; the division submodule 5042 is used to divide the training set into n+1 subsets S1, S2, ..., Sn+1, and select the first i subsets in turn. Subset training base classifier; wherein the base classifier includes a support vector machine base classifier, a random forest base classifier, a k-nearest neighbor algorithm base classifier and a multi-layer perceptron base classifier; the prediction submodule 5043 is used to use the trained base classifier to predict the i+1th subset and output the prediction result, and this is repeated n times to obtain all the prediction results of the base classifier; the combination submodule 5044 is used to combine all the prediction results to obtain the target training set N; the training submodule 5045 is used to use the target training set N to train the gradient decision tree classifier to obtain the CAN network Stacking intrusion detection model of the target vehicle.

The present disclosure also provides a computer device, the internal structure diagram of which can be shown in Figure 6. The computer device includes a processor, a memory, a network interface and a database connected through a system bus. Among them, the processor of the computer device is used to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program and a database. The internal memory provides an environment for the operation of the operating system and the computer program in the non-volatile storage medium. The database of the computer device is used to store data. The network interface of the computer device is used to communicate with an external terminal through a network connection. When the computer program is executed by the processor, a method for detecting an intrusion in a car CAN network as described above is implemented. It includes: a memory and a processor, the memory stores a computer program, and when the processor executes the computer program, any step in the method for detecting an intrusion in a car CAN network as described above is implemented.

The present disclosure also provides a computer-readable storage medium on which a computer program is stored. When the computer program is executed by a processor, any step in the above-mentioned automobile CAN network intrusion detection can be implemented.

Those skilled in the art can understand that all or part of the steps of implementing the above-mentioned method embodiments can be completed by hardware related to program instructions. The aforementioned program can be pre-stored in a computer-readable storage medium. When the program is executed, the steps of the above-mentioned method embodiments are executed; and the aforementioned storage medium includes: ROM, RAM, disk or optical disk and other media that can store program codes.

Those skilled in the art will readily appreciate other embodiments of the present disclosure after considering the specification and practicing the disclosure disclosed herein. The present disclosure is intended to cover any variations, uses, or adaptations of the present disclosure that follow the general principles of the present disclosure and include common knowledge or customary techniques in the art that are not disclosed in the present disclosure. The description and examples are to be considered exemplary only, and the true scope and spirit of the present disclosure are indicated by the following claims.

It should be understood that the present disclosure is not limited to the exact structures that have been described above and shown in the drawings, and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (10)

1. An intrusion detection method for an automobile CAN network, comprising:

Acquiring a flow data packet on a CAN bus of a target vehicle in a normal running process, and establishing a normal flow data set according to the flow data packet;

counting the ID of each flow data packet in the normal flow data set, and creating an original data set according to the ID of each flow data packet, the attack type and the normal flow data set;

Extracting ID and data domain information in the original data set as classification features, and establishing a feature data set according to the classification features;

constructing a CAN network Stacking intrusion detection model of the target vehicle according to the characteristic data set;

And inputting the ID and the data field information in the attack data set into a Stacking intrusion detection model, and predicting whether the CAN of the target vehicle has network intrusion according to an output result.

2. The method of claim 1, wherein constructing a CAN network Stacking intrusion detection model of the target vehicle from the feature dataset comprises:

Randomly extracting part of characteristic data in the characteristic data set according to a preset proportion to serve as a training set S, and the rest of characteristic data serves as a test set P;

Dividing the training set into n+1 subsets S1, S2, … and Sn+1, and sequentially selecting the training base classifiers of the first i subsets; the base classifier comprises a support vector machine base classifier, a random forest base classifier, a k-nearest neighbor algorithm base classifier and a multi-layer perception base classifier;

predicting the (i+1) th subset by using the trained base classifier, outputting a prediction result, and repeating the process for n times to obtain all the prediction results of the base classifier;

combining all the prediction results to obtain a target training set N;

And training a gradient decision tree classifier by using the target training set N to obtain a CAN network Stacking intrusion detection model of the target vehicle.

3. The method of claim 2, wherein inputting the ID and data field information in the feature dataset into a Stacking intrusion detection model and predicting whether a network intrusion exists in the CAN of the target vehicle based on the output result comprises:

Estimating the test set P by using a CAN network Stacking intrusion detection model of the target vehicle to obtain an intrusion detection result;

respectively inputting the ID and the data domain information in the characteristic data set into the support vector machine base classifier, the random forest base classifier, the k nearest neighbor algorithm base classifier and the multi-layer perception base classifier to obtain a test value P1, a test value P2, a test value P3 and a test value P4;

Respectively inputting the test value P1, the test value P2, the test value P3 and the test value P4 as CAN message characteristics into a CAN network Stacking intrusion detection model of the target vehicle, and estimating an abnormal state of a corresponding CAN message according to an output result;

Predicting whether network intrusion exists in the CAN of the target vehicle according to the abnormal state of the corresponding CAN message.

4. A method according to claim 3, wherein the predicting the i+1st subset by using the trained base classifier and outputting the predicted result is repeated n times, and before obtaining all the predicted results of the base classifier, the method further comprises:

respectively inputting the data in the test set P into the support vector machine base classifier, the random forest base classifier, the k neighbor algorithm base classifier and the multi-layer perception machine base classifier;

and respectively evaluating the support vector machine base classifier, the random forest base classifier, the k neighbor algorithm base classifier and the multi-layer perception base classifier according to the output result and the evaluation index.

5. The method of claim 4, wherein before inputting the test value P1, the test value P2, the test value P3, and the test value P4 as CAN message characteristics into the CAN network Stacking intrusion detection model of the target vehicle, and estimating an abnormal state of a corresponding CAN message according to an output result, the method further comprises:

Inputting the data in the test set P to a CAN network Stacking intrusion detection model of the target vehicle;

and evaluating the CAN network Stacking intrusion detection model of the target vehicle according to the output result and the evaluation index.

6. The method of claim 4 or 5, wherein the evaluation index comprises at least one of ROC curve, AUC area, and accuracy.

7. An automotive CAN network intrusion detection device, the device comprising:

the acquisition module acquires a flow data packet on the CAN bus in the normal running process of the target vehicle, and establishes a normal flow data set according to the flow data packet;

The statistics module is used for counting the ID of each flow data packet in the normal flow data set and creating an original data set according to the ID of each flow data packet, the attack type and the normal flow data set;

The extraction module is used for extracting ID and data domain information in the original data set as classification features and establishing a feature data set according to the classification features;

The construction module is used for constructing a CAN network Stacking intrusion detection model of the target vehicle according to the attack data set and the characteristic data set;

and the prediction module inputs the ID and the data field information in the characteristic data set into a Stacking intrusion detection model, and predicts whether the CAN of the target vehicle has network intrusion according to an output result.

8. The apparatus of claim 7, wherein the build module comprises:

the extraction submodule randomly extracts part of characteristic data in the characteristic data set according to a preset proportion to serve as a training set S, and the rest of characteristic data serves as a test set P;

Dividing the training set into n+1 subsets S1, S2, … and Sn+1 by a sub-module, and sequentially selecting the training base classifiers of the first i subsets; the base classifier comprises a support vector machine base classifier, a random forest base classifier, a k-nearest neighbor algorithm base classifier and a multi-layer perception base classifier;

the prediction sub-module predicts the (i+1) th sub-set by using the trained base classifier, outputs a prediction result, and repeatedly performs the above steps for n times to obtain all the prediction results of the base classifier;

The combination sub-module is used for combining all the prediction results to obtain a target training set N;

And the training sub-module is used for training a gradient decision tree classifier by using the target training set N to obtain the CAN network Stacking intrusion detection model of the target vehicle.

9. A computer device, comprising: comprising a memory and a processor, said memory storing a computer program, characterized in that the processor implements the steps of the method according to any one of claims 1 to 8 when said computer program is executed.

10. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 8.